1 Regulators should carry out their activities in a way that supports those they regulate to comply and grow

| Ref | Requirements | How we meet the requirements |
|---|---|---|
| 1.1 | Regulators should avoid imposing unnecessary regulatory burdens through their regulatory activities and should assess whether similar social, environmental and economic outcomes could be achieved by less burdensome means. Regulators should choose proportionate approaches to those they regulate, based on relevant factors including business size and capacity. | ICO’s DP Regulatory Action Policy details the guiding principles supporting decisions on enforcement. Recent work on self assessment for small and medium sized enterprises, the change in approach to the handling of DP concerns (Project Eagle) and audit visits for charities, voluntary organisations and the third sector evidence this. |
| 1.2 | When designing and reviewing policies, operational procedures and practices, regulators should consider how they might support or enable economic growth for compliant businesses and other regulated entities, eg by considering how they can best: understand and minimise negative economic impacts of their regulatory activities; minimising the costs of compliance for those they regulate; improve confidence in compliance for those they regulate; and encourage and promote compliance. | We regularly consult on how we regulate, including recently on online notification, the 2020 vision and the changes in the approach to the handling of DP concerns. In addition Strategic Liaison regularly engages with major stakeholders; our regional offices engage with local stakeholders and in particular the devolved administrations; and we have a comprehensive suite of guidance and codes of practice available on our website. |
| 1.3 | Regulators should ensure that their officers have the necessary knowledge and skills to support those they regulate, including having an understanding of those they regulate that enables them to choose proportionate and effective approaches. | Many staff have DP BCS qualifications and/or the audit qualification. Strategic Liaison, audit teams and other parts of the office are arranged sectorally and hence build knowledge of their sector. We are also planning sectoral reference panels to explore changes in ICO regulation and “know about” sessions with representatives from SMEs and the Better Regulation Delivery Office. Our regional offices provide intelligence on their stakeholders which feeds into enforcement decisions. Visits to organisations (such as when undertaking audits) allow staff to become familiar with sectors. |
| 1.4 | Regulators should ensure that staff understand the statutory principles of good regulation and of this Code, and how the regulator delivers its activities in accordance with them. | Good regulatory practice is built into the work of the ICO and is supported by policies and procedures, for example the “know about” sessions referred to above. |
2 Regulators should provide simple and straightforward ways to engage with those they regulate and hear their views

| Ref | Requirements | How we meet the requirements |
|---|---|---|
| 2.1 | Regulators should have mechanisms in place to engage those they regulate, citizens and others to offer views and contribute to development of policies and service standards. | The ICO has a consultation policy and advertises consultations on Twitter, its home page and by enews letter. It also undertakes research to track both organisations’ understanding of their obligations and individuals’ understanding of their rights. |
| 2.2 | Before changing policies, practices or service standards, regulators should consider the impact on business and engage with business representatives. | The ICO does this; evidenced by consultations on changes to online notification, the 2020 vision and on the approach to the handling of DP concerns. |
| 2.3 | In responding to non-compliance, regulators should explain what the non-compliance is, the advice being given, actions required/decisions taken, and the reasons for these. Regulators should provide an opportunity for dialogue with a view to ensuring that they are acting in a proportionate and consistent way¹. | It is standard procedure that we discuss issues with data controllers before deciding on enforcement action. The audit process itself includes several opportunities for data controllers to input views and opinions. |
| 2.4 | Regulators should provide an impartial and clear route to appeal against a regulatory decision or a failure to act in accordance with this Code. Individual officers who took the decision against which the appeal is being made should not be involved in considering the appeal. This route to appeal should be publicised. | There are clear statutory rights of appeal against enforcement decisions which all data controllers are advised of when we decide to take action. There is also a complaints process for individuals and organisations; and the PHSO will consider complaints of mal-administration against the ICO. Finally the Code is referenced in the ICO Complaints Procedure. |
| 2.5 | Regulators should provide a timely explanation in writing of any right to representation or right to appeal. This explanation should be in plain language and include practical information on the process involved. | Formal appeals against ICO decisions are dealt with by the Tribunal Service. However enforcement notices go out with clear guidance on appeal rights. |
| 2.6 | Regulators should make available to those they regulate clearly explained complaints procedures, allowing them to easily make a complaint about the conduct of the regulator. | See 2.4 above. Details on service complaints can be found on our website. |
| 2.7 | Regulators should have mechanisms to enable and regularly invite, receive and take on board customer feedback, including, for example, through customer satisfaction surveys of those they regulate. | We have a rolling series of customer satisfaction surveys, and the issuing and collection of a feedback questionnaire is a formal part of the audit process. |

¹ This paragraph does not apply where the regulator can demonstrate that immediate enforcement action is required to prevent or respond to a serious breach or where providing such an opportunity would be likely to defeat the purpose of the proposed enforcement action.
3 Regulators should base their regulatory activities on risk

| Ref | Requirements | How we meet the requirements |
|---|---|---|
| 3.1 | Regulators should take an evidence based approach to determining the priority risks in their area of responsibility, and should allocate resources where they would be most effective in addressing those risks. | IRC annually assesses the information rights risks and monitors progress in tackling them. Resources are allocated as part of business planning. |
| 3.2 | Regulators should consider risk at every stage of their decision-making processes, including choosing the most appropriate intervention; targeting checks on compliance; and when taking enforcement action. | The ICO does take a risk based approach to its enforcement activity. In particular, when assessing data controller suitability for an audit we only seek consent from those data controllers which we believe demonstrate the highest risks. |
| 3.3 | Regulators designing a risk assessment framework, for their own use or for use by others, should have mechanisms in place to consult on the design with those affected, and to review it regularly. | The ICO will provide a self assessment toolkit for SMEs and has published information on privacy impact assessments for use by others. These were consulted upon. |
| 3.4 | In an assessment of risk, regulators should recognise the compliance record of those they regulate, and should consider all available relevant compliance data, including evidence of relevant external verification. | The ICO does this as evidenced in the Project Eagle work and decisions on how enforcement action is decided upon. In addition, risk assessments to determine suitability for audit include consideration of complaints, enforcement action, policies published by the data controller, external audit reports and other publicly available information. |
| 3.5 | Regulators should review the effectiveness of their chosen regulatory activities in delivering the desired outcomes and make any necessary adjustments accordingly. | The ICO Plan 2014-2017 details that a review will take place, and that we will be researching the effectiveness of civil monetary penalties. |
4 Regulators should share information about compliance and risk

| Ref | Requirements | How we meet the requirements |
|---|---|---|
| 4.1 | Regulators should collectively follow the principle of “collect once, use many times” when requesting information from those they regulate. | The ICO is doing this with the simplified notification process and the use of the ICE database. |
| 4.2 | When the law allows, regulators should agree secure mechanisms to share information with each other about bodies they regulate, to help target resources. | The ICO shares data as appropriate with organisations such as OFCOM, the Police, Treasury Solicitors, and internationally, when the law allows. Sharing is also governed by MOUs. |
5 Regulators should ensure clear information, guidance and advice is available to help those they regulate meet their responsibilities to comply

| Ref | Requirements | How we meet the requirements |
|---|---|---|
| 5.1 | Regulators should provide guidance focused on helping organisations understand and meet their responsibilities. When doing so, legal requirements should be distinguished from good practice and the impact of the guidance should not impose unnecessary burdens in itself. | We do this in guidance and codes of practice, and audit and audit visit reports clearly distinguish between steps required for compliance and those that represent good practice. |
| 5.2 | Regulators should publish guidance and information in a clear, accessible, concise format, using media appropriate to the target audience and written in plain language for the audience. | The ICO seeks to do this as evidenced by the plain English certification of the general DP guidance. |
| 5.3 | Regulators should have mechanisms in place to consult those they regulate in relation to the guidance they produce to ensure that it meets their needs. | The ICO has a consultation policy and advertises consultations on Twitter, its home page and by enews letter. We also form small groups to consult on specific matters, for example the recent Leveson workshops. There is also an ICO Policy Development methodology that we use when developing guidance which ensures rigour in our process. |
| 5.4 | Regulators should seek to create an environment in which those they regulate have confidence in the advice they receive and feel able to seek advice without fear of triggering enforcement action. | The ICO does this, for example in not taking formal enforcement action against failures to comply identified by ICO audits. People can also seek anonymous help from our telephone helpline. |
| 5.5 | In responding to requests for advice, a regulator’s primary concerns should be to provide the advice necessary to support compliance, and to ensure that the advice can be relied on. | The ICO does this already. It receives over 200k enquiries in the course of the year. |
| 5.6 | Regulators should have mechanisms to work collaboratively to assist those regulated by more than one regulator. Regulators should consider advice provided by other regulators and, where there is disagreement about the advice, this should be discussed with the other regulator to reach agreement. | The ICO does discuss how best to enforce with other regulators who have an interest in an issue, and we have memoranda of understanding with many regulators, copies of which are available on our website. These discussions include devolved regulators. Working with other regulators is also clearly signposted in the recent 2020 consultation and in the Strategic Liaison business plan. |

Version 3 04082014
6 Regulators should ensure that their approach to their regulatory activities is transparent

| Ref | Requirements | How we meet the requirements |
|---|---|---|
| 6.1 | Regulators should publish a set of clear service standards, setting out what those they regulate should expect from them. | ICO service standards are published on our website. |
| 6.2 | Regulators’ published service standards should include clear information on: | |
| | a) how they communicate with those they regulate and how they can be contacted; | Contact details are published on the website. |
| | b) their approach to providing information, guidance and advice; | The ICO publishes its three year rolling Plan which details what its aims are and how it will meet them. |
| | c) their approach to checks on compliance, including details of the risk assessment framework used to target those checks and protocols for their conduct, clearly setting out what those they regulate should expect; | We publish “Auditing data protection; a guide to ICO data protection audits” and “A guide to ICO advisory visits”. Both provide information relevant to the code requirements. Letters of Engagement for audits set out the clear expectations of the ICO and make clear delivery commitments. |
| | d) their enforcement policy, explaining how they respond to non-compliance; | The DP regulatory action policy is published on our website. We also publish our “Standard operating procedure; monetary penalty notices”. |
| | e) information on fees and charges, clearly explaining the basis on which these are calculated and an explanation of how compliance will affect fees and charges; and | We do not charge fees other than the statutory notification fee and for some ICO conferences. |
| | f) how to comment or complain about service provided and how to appeal. | Details on service complaints and how to appeal can be found on our website. |
| 6.3 | Information published to meet the requirements of this Code should be easily accessible, including being available at a single point on the regulator’s website that is clearly signposted, and is kept up to date. | Information about how the ICO regulates is available across its website. Further information is targeted at organisations the ICO regulates on a day to day basis as and when needed, eg when taking forward issues with the organisation. Because of this targeted approach, and the regular research into how the website is used, it is not thought necessary to pull together the information about the code into one place on the website. However, reference to the code and how the ICO has regard for it is available on the “How we work” part of the website. |
| 6.4 | Regulators should have mechanisms in place to ensure that their officers act in accordance with their published service standards, including their enforcement policy. | The available mechanisms are line management, the core competencies, and training. |
| 6.5 | Regulators should publish, on a regular basis, details of their performance against their service standards, including feedback received from those they regulate, such as customer satisfaction surveys, and data relating to complaints about them and appeals against their decisions. | Performance against service standards is published. Feedback from our audit and audit visit activity is regularly published in our sectoral outcomes reports. |